Eircom Exposes Its Broadband Customers to Serious Security Risks
Filed Under Computers & Tech, Security on September 11, 2007 at 12:37 am
I had heard complaints from people in the past that Eircom didn’t seem to do the whole security thing properly at all. I guess I just hoped they’d have sorted themselves out by now. They haven’t. I’m not sure if it’s down to incompetence or just not caring about their customers, but in my book there are no valid excuses for leaving your customers exposed.
Eircom have chosen to give their customers a wireless router. This makes things a lot simpler for the customer since it means they don’t have to go messing around with cables and such, but it potentially opens them up to significantly higher security risks. In the relationship between an Internet Service Provider (ISP) and a customer, the ISP must be the one on top of security issues. The average broadband customer cannot realistically be expected to be a security expert. Customers can only be expected to follow instructions from their ISP, and they have every right to assume that these instructions will not expose them to serious risks.
Having gone through the process of setting up Eircom broadband for my grandfather last weekend, I can tell you they are totally failing to protect their users by instructing their customers to set up their networks in a way that is highly insecure.
The Flaws
There are two fundamental flaws in Eircom’s default setup and I’ll look at each in turn.
The first problem is that no password is set on the router by default. This leaves the configuration open to change by any person at, or any program or script running on, any computer on your home network. At first glance this may not seem like a big problem, but it is. Modern web technologies like AJAX make it trivial for websites to use your web browser to launch attacks against your router. The worst-case scenario would go something like this:
- You get an email from a friend telling you about a cool flash game they found on the net
- You have some time on your hands so you follow the link and start to get engrossed in the game
- While you’re playing the game your browser is executing a malicious piece of JavaScript on the same page as the game in the background
- Since your browser is running on your machine it has full access to your home network – the script simply scans for known makes and models of router and tries to access the configuration pages behind your back
- You notice NOTHING as your browser invisibly finds your Eircom router without a password and re-configures the firewall on it to allow full access to your machine from the outside world
- Now that your router’s firewall features have been neutralised you are wide open to attack from anywhere in the world. The owner of the site can now use any known remote attack against your now exposed machine and soon takes it over.
- The attacker silently installs a web server on your machine and starts serving out child pornography from YOUR computer
- Millions of perverts from around the world now leech YOUR bandwidth to view this illegal material now being hosted on your computer without your knowledge
- The first you know about any of this is when the police call to arrest you for possessing and distributing child pornography
Sure, this is a worst-case scenario, but far from an impossible one. The attacker may choose to simply install some key logging software on your computer instead, that way he can steal your bank details and other personal information. He may also decide to subscribe your computer to a botnet to have it send out spam or launch DDoS attacks on other systems. What’s worse is that these JavaScript-based attacks on broadband routers are not just theoretical, they are really happening.
The point is clear: by not having a password on their routers Eircom are opening their customers up to a world of trouble. I’d go so far as to call this criminal negligence from a company that absolutely should know better.
The second problem is their choice of encryption. For your privacy and protection it is vital that your wireless network be protected from eavesdroppers and intruders by encrypting all the data that gets sent through the air. Once an attacker breaks into your wireless network they have direct access to all the machines on that network and are in a position to monitor all traffic on that network. Again, this gives the attacker an opportunity to collect personal or financial information, or to launch attacks against machines on your network to try to take them over.
Eircom are not quite incompetent enough not to use any encryption, they are just using encryption that has been totally and utterly broken and now presents effectively no obstacle to an informed attacker. Eircom use WEP, which provides about as much security as erecting a sign that says “please don’t rob me”. Two things make this all the worse in my opinion: firstly, the routers they supply DO support the actually secure WPA encryption scheme, and secondly, using WEP gives uninformed users the illusion of protection when in reality they are completely vulnerable.
Again, in my book, this amounts to totally unacceptable behaviour for an ISP.
Two Simple Steps To Protect Yourself
If you are an Eircom customer using their default setup you need to take two very simple steps to plug these two security holes:
- Set a password on your router’s administration interface
- Change the encryption scheme from WEP to WPA with a Pre-Shared Key (PSK).
Update (30 April 2008): More detailed instructions on securing Eircom wireless routers are now available here.
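A quick way to check a home network for the two holes described in this post, added here as an example and not part of the original post or anything supplied by Eircom: `probe_admin` requests your own router's admin page without credentials, and `classify_cells` reads `iwlist scan`-style text to tell open, WEP, WPA and WPA2 networks apart. The function names and the sample scan are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

def classify_admin(status, headers):
    """Judge an unauthenticated GET of the router's admin page."""
    names = {k.lower() for k in headers}
    if status in (401, 403) or "www-authenticate" in names:
        return "auth-required"
    # 200 with no challenge: either no password or a form login; look by hand
    return "no-auth-challenge" if status == 200 else "unknown"

def probe_admin(url, timeout=3):
    """Fetch your own router's admin URL with no credentials and classify it."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_admin(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify_admin(err.code, dict(err.headers.items()))

def classify_cells(scan_text):
    """Map ESSID -> open / WEP / WPA / WPA2 from `iwlist scan`-style text."""
    found = {}
    for cell in re.split(r"^[ \t]*Cell \d+ - ", scan_text, flags=re.M)[1:]:
        essid = re.search(r'ESSID:"(.*?)"', cell)
        name = essid.group(1) if essid else "<hidden>"
        found[name] = ("open" if "Encryption key:off" in cell else
                       "WPA2" if "WPA2" in cell else
                       "WPA" if "WPA Version" in cell else
                       "WEP")  # key on, but no WPA/WPA2 information element
    return found

def weak_networks(scan_text):
    """Names of networks that are open or WEP, i.e. effectively unprotected."""
    cells = classify_cells(scan_text)
    return sorted(n for n, kind in cells.items() if kind in ("open", "WEP"))

# Constructed sample, modelled on `iwlist scan` output (not a real capture).
SAMPLE_SCAN = """\
  Cell 01 - Address: 00:00:5E:00:53:01
            ESSID:"constructed-wep"
            Encryption key:on
  Cell 02 - Address: 00:00:5E:00:53:02
            ESSID:"constructed-wpa"
            Encryption key:on
            IE: WPA Version 1
  Cell 03 - Address: 00:00:5E:00:53:03
            ESSID:"constructed-open"
            Encryption key:off
"""
```

A result of `no-auth-challenge` from `probe_admin` means the page loaded without an HTTP authentication prompt; open it in a browser to confirm whether the settings really are editable without a password.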
Might be worthwhile sending someone in eircom an email with a link to this blog or just with the info from the blog.
Indeed.
Bart, can you do a basic HOWTO on your blog for people setting up Eircom ‘wireless’ broadband securely – nothing fancy but I imagine it’d be of use to some people.
We’re supposedly getting it in in two weeks and I DON’T want my machine connected to a dodgily configured router!!!
Hi trekky, I would but it was my grandfather’s router in Cavan and I’m back in Maynooth. Had I been thinking ahead I would have grabbed screen shots while I was configuring it but sadly I didn’t.
The key though is to set a password on the router and to change the encryption from WEP to WPA with PSK. You have to change to the “Expert” mode on the interface and then you’ll find all these options in the interface somewhere.
Sorry I can’t be of more help right now.
Bart.
Paul, who in Eircom would I send it to? You remember trying to get in touch with anyone competent in there back when we were trying to get them to give up the SU’s domain a few years back. I’ve had a few dealings with them since, they are every bit as impenetrable as ever they were. Emails go un-answered and when you phone them they play a game of ‘pass the call’ with you. I don’t have an hour of my life to piss down the toilet ATM. Best I can do is warn users on this blog so that’s what I’m doing.
Just as a little update on this. For shits and giggles over lunch I decided to play a game of pass the call with Eircom. As I expected I got passed all round the place and eventually ended up with tech support who were none too keen to help unless I was the customer. Thankfully the guy was reasonable and in the end agreed to take my name and number and ask his supervisor to ring me. He insisted he couldn’t transfer me. I’m dead curious to see if I ever hear back.
I also contacted ComReg who told me it’s not their area because broadband in Ireland is not regulated. They suggested I contact the National Consumer Agency and were kind enough to give me the number. So I’m gonna give them a shout now.
LMAO, oh this is fun. The National Consumer Agency don’t see it as their problem so they recommend the data protection commissioners. Now, I know this doesn’t fall under DPA. So, the only avenue left open is Eircom getting back to me.
Eircom tech support left me a voice mail while I was talking to the NCA to tell me it’s a matter for Eircom Customer Service and left a number. Let’s see what becomes of this!
OK, got on to Eircom Customer care. Took a little while and, as Des would put it, I had to be the opposite of a doormat but a call has been logged and they took all the details of my complaint. I suggested adding the URL to this post into the call but the guy didn’t seem keen. Anyhow, now we play the waiting game again.
Eircom? Customer Care?
Now there’s an oxymoron
Bart,
I’ve never succeeded with them playing pass the call. That experience was horrible.
I suggest sending an email. It’ll be in writing and it’ll make someone there accountable if they actually reply. That in turn might get something done but only if they reply.
I wouldn’t mention the more serious aspects (i.e. child porn et al) until someone replies or you might not get a reply. You know how it is.
Try the address on this website:
http://home.eircom.net/contact/
See the general enquiry part:
General Query
If you are unable to find the relevant department to deal with your query, please e-mail [email protected] and we will try our best to help. We will either provide a response ourselves or forward your query to the appropriate department.
There is a call logged now so it should be making its way through the system. I think I’ll give that a week (seems a reasonable time) and then send a mail to that address and then perhaps a letter to their postal address by registered mail. There must be some way to get your message through to these people!
AFAIK you need SP1 or maybe even SP2 for WPA to work with XP! (unless your adapter came with the required software) If Eircom supplied all routers with WPA it would cause more problems and increased support calls.
The router should have a password, but having a default one is of no use, with Eircom’s customer base.
Getting the customer to choose one doesn’t help either as they will forget it and support will then have to reset the router.
It wouldn’t be feasible to give customers specific passwords due to the volumes of routers in circulation not to mention the problems with replacements!
At least Eircom are providing their customers with some wireless security. There are other ISPs who don’t even provide any wireless routers, and if they do, they have no security enabled by default.
We’ll see what Eircom has to say.
If you are not running a fully patched OS you should not be accessing the internet. You are nothing but malware fodder if you do! So, the whole “but people don’t have WEP” argument doesn’t work from a security stand point. Eircom simply need to specify in their minimum requirements that you must have your OS patched to use the wireless feature.
At the VERY least Eircom’s documentation needs to warn users of the serious limitations to WEP and provide instructions for setting up WPA. Simply lulling their users into a false sense of security is not on. It’s down-right immoral.
As for passwords, they already generate a separate SSID and WEP key for each router shipped, why can’t they then also generate a password?
Like you say we’ll see what Eircom come back with, if they come back at all that is.
I got a phone call today from Eircom telling me they will have a response in the post to me by tomorrow … wonder what it will be.
[…] note that this article is a follow-on article from two previous articles (Eircom Exposes Its Broadband Customers to Serious Security Risks and Eircom Security – More Bad News and Some Suggested Solutions). The previous articles lay out […]
My only safeguard was Eircom incompetent to actually send me out the wireless router. 2 years later and I’m still waiting… Luckily I had a NETGEAR router at home and don’t use WEP security.
is my modem ok or do i need to do something with the security ?
Donal,
I’m not psychic so I really can’t tell what the story is with your particular modem. If it is set up to use WPA with a strong password then you have a reasonable security level. If you are an Eircom customer with a default setup then you need to go to the Eircom site and follow the instructions for updating your security settings because you probably are vulnerable.
Bart.
I am at present with Perlico and about to change to Eircom but now after reading the comments on your blog I will think again. I am unable to receive or send emails and Perlico don’t seem interested in helping. People like you Bart are needed. Thank you
Hi Reg,
If you can look after your own security then none of this is a problem. Now, the poor customer support is of course still a problem as are the generally low bandwidth limits but security is only an issue if you listen to Eircom.
If you are not a heavy user then Eircom can be a good option. Because Eircom actually own the infrastructure you tend to have less hassle because when things go wrong there’s only one party involved.
So far I have experience with DigiWeb, Eircom and ICE when it comes to broadband. I’d recommend DigiWeb over the other two. Had them for years in my last house and they gave a reliable and fast service. I’d put ICE at the very bottom of the list. I wouldn’t recommend them to my worst enemy!
Good luck with what ever you choose,
Bart.
eircom are a goddam joke, netgear/chorus/upc ftw!
and hey, just for shits and giggles… here’s the default wep key generator for eircom,
http://s4dd.yore.ma/eircom/
sorry if im going completely against the grain here bart, but if people can SEE just how quickly owned that def wep can be, it will open their eyes.
+ they may get some free bandwidth for leeching
wow, im scared of the fact im an eircom interweb user… can you please tell moi how you do the very simple thing of setting up a password on the eircom router whatnot..?
thank you
Hi Scared in SoHo, you’ll find instructions here: http://www.bartbusschots.ie/blog/?p=793
Best I can do,
Bart.
Am extremely amused by all the comments as I used to work for Eircom when they still belonged to the Irish people, back then before broadband it was acceptable to know feck all about PCs but quite honestly I would be extremely embarrassed to be like that now, considering that the Irish boom that is now on its last legs was built on the I.T sector.
Folks, it is not at all as bad as the above posts would seem to indicate. Eircom do not put a password on your router when shipped to ensure folks who are not PC literate are not locked out of their own equipment. A password is very easy to add once you have set up the router. Also WPA, a much stronger encryption service, is now default on all new routers. If one was to highlight issues with Eircom it is their capacity capability. Most of the secondary and tertiary exchanges are already at max capacity, and their engineers only have rudimentary knowledge of how the setups should be configured on the frames to optimise service and bandwidth allocation. I advise everyone using their service to run the test (Eircom’s own publicly available test) on this link: http://home.eircom.net/speedtest frequently and screendump the results into a Word document for future evidence. I think you will get a bit of a shock…!!
Hi John,
Things are not as bad as this ANYMORE. Eircom improved their security setup because it came under a lot of pressure to do so (this blog and my complaint to them MAY have played a small role). The fact that they now use WPA rather than WEP as the default is a very good thing. Pity news came out last week that WPA has been at least partially broken. Now it’s time to move on to WPA2.
Bart.